Cisco has issued an alert on a critical security flaw in its SPA112 2-Port Adapter, which is used by businesses to connect analog phones and fax machines to voice-over-IP systems without having to upgrade them.

The bug, known as CVE-2023-20126, has a base score of 9.8 out of 10 and is classified as critical. It may be used by a remote attacker to gain control of a compromised device and execute arbitrary code. According to Cisco, the vulnerability is caused by a missing authentication mechanism in the firmware upgrading function. An attacker might upgrade an affected device to a crafted version of firmware, allowing the attacker to execute arbitrary code with full privileges on the affected device.

The impacted adapter was phased out in June 2020, with Cisco recommending that clients switch to a Cisco ATA 190 Series Analog Telephone Adapter, which converts analog devices into IP devices for usage by corporations, small offices, and cloud operations.

According to Cisco’s Product Security Incident Response Team, there has been no exploitation of the issue, which was brought to the company’s notice by DBAPPsecurity.

The sources for this piece include an article in TheRegister.